The confusing state of Microsoft’s TMG and UAG firewall and proxy software

I have been trying out Microsoft’s ForeFront Unified Access Gateway (UAG) recently, partly because it is the only supported way to publish a SharePoint site for Windows Phone. This was my first go with the product, though I am already familiar with the Threat Management Gateway (TMG) and its predecessor Internet Security and Acceleration Server (ISA) – and before that Proxy Server, dubbed “Poxy Server” by admins frustrated with its limitations. All these products are related, and in the case of UAG and TMG, more closely than I realised.

Note that Microsoft has indicated that the current version of TMG, 2010, is the last. What is happening to UAG is less clear.

What I had not realised until now is that TMG installs as part of UAG, though you are not meant to use it other than for a few limited uses. It is mainly there to protect the UAG server. The product positioning seems to be this:

Use UAG for publishing applications such as SharePoint, Direct Access (access to Windows files shares over the internet) and Exchange. It is essentially a reverse proxy, a proxy for publishing and protecting server applications.

Use TMG for secure internet access for users on your network.

This means that if you want to use Microsoft’s platform for everything possible, you are expected to run both UAG and TMG. That is OK for enterprises but excessive for smaller organisations. It is odd, in that TMG is also a capable reverse proxy. TMG is also easier to use, though that says more about the intricate user interface of TMG than it does about the usability of TMG. Neither product can be described as user friendly.

The complexity of the product is likely to be one of the reasons TMG is now being discontinued. It is a shame, because it is a decent product. The way TMG and ISA are designed to work is that all users have to authenticate against the proxy before being allowed internet access. This gives administrators a high degree of control and visibility over which users access which sites using which protocol.

Unfortunately this kind of locked-down internet access is inconvenient, particularly when there are a variety of different types of device in use. In many cases admins have to enable SecureNAT, or in other words unauthenticated access, partly defeating the purpose, but there is little choice.

ISA Server used to be supplied as part of Small Business Server (SBS); but when I spoke to Microsoft about why it was dropped in SBS 2008, I was told that few used it. Businesses preferred a hardware solution, whether a cheap router modem from the likes of Netgear or Linksys, or a security appliance from a company like Sonicwall, Cisco or Juniper.

The hardware companies sell the idea that a hardware appliance is more secure, because it is not vulnerable to Windows or Linux malware. There is something in the argument, but note that all security appliances are more software than hardware, and that a Windows box will be patched more regularly. ISA’s security record was rather good.

My hunch is that ease of use was a bigger factor for small businesses. Getting ISA or TMG to do what you want can be even more challenging that working out the user interface of a typical hardware appliance, though perhaps not with the more complex high-end units.

As for UAG, I have abandoned the idea of testing it for the moment. One of the issues is that my test setup has only one external IP. UAG is too elaborate for a small network like mine. I am sticking with TMG.